pfSense :: Configuring OpenVPN

In this post I am going to configure OpenVPN on pfSense and create the certificates needed to connect from client devices.

  1. Configuring a new Certificate Authority
  2. Adding a new System Certificate for OpenVPN
  3. Adding a user Certificate
  4. Configuring the OpenVPN Server

Configuring a new Certificate Authority
  1. Click System – Cert Manager and, on the CAs tab, click the + in the lower-left corner.
    [screenshot: 01-cert-manager]
  2. Give it a Descriptive Name and change the Method to Create an internal Certificate Authority.
  3. Set Digest Algorithm to SHA256 or better and fill out the Distinguished name section.
    Click Save when done.
    [screenshot: 02-CAs]
  4. The new CA is now listed. Because it is a root CA, the Issuer column shows self-signed.
    [screenshot: 03-CAs]
Adding a new System Certificate for OpenVPN

After creating the internal Certificate Authority we create a certificate signed by that CA and use it for our OpenVPN server.

  1. Click the Certificates tab, click +, and change Method to Create an internal Certificate.
  2. Give it a Descriptive name like pfSense OpenVPN.
  3. Certificate authority: select the CA we just created. Use a Key length of 2048 or higher and a Digest Algorithm of SHA256 or higher.
  4. Change Certificate Type to Server Certificate. This is what lets clients verify that the certificate they are handed belongs to a server and not to another user.
  5. The Distinguished name section is partly pre-filled, but enter the Common Name carefully: it must be the FQDN that clients will use to reach your pfSense installation.
  6. Click the + next to Alternative Names to add any other hostnames or addresses clients may connect to.
    [screenshot: 04-internal-certificate]
  7. Click Save when done. The new server certificate is now listed under the Certificates tab.
Adding a user Certificate

We need a certificate for each user to present when connecting to our OpenVPN server.

  1. Click System – Cert Manager and, on the Certificates tab, click the + in the lower-left corner.
    [screenshot: 01-cert-manager]
  2. Change Method to Create an internal Certificate.
  3. Give it a Descriptive Name like “User OpenVPN Cert”.
  4. Certificate authority: make sure you use the CA we just created.
  5. Key length: 2048 or higher.
  6. Change Certificate Type to User Certificate, then click Save.
    [screenshot: 17-2-OpenVPN]
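As an added example, not part of the original post and not pfSense's own code: the same three objects (an internal CA, a server certificate of the Server Certificate type, and a user certificate) built with openssl on any machine, followed by the checks that show why the Certificate Type matters. The work directory, the DN fields C=DK/O=Home and the FQDN vpn.example.com are assumptions; substitute your own values.

```shell
#!/bin/sh
# Added example, not from the post: build the CA, server cert and user cert
# from the sections above with openssl, then verify the properties OpenVPN
# relies on. Assumptions: work dir $WORK, DN fields C=DK/O=Home, and the
# FQDN vpn.example.com; replace them with your own values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-vpn.example.com}"   # assumed FQDN of the pfSense box

# Minimal openssl config so nothing depends on the system openssl.cnf.
# $1 = file, $2 = Common Name, $3 = body of the [ext] section.
write_cnf() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n' > "$1"
  printf '[dn]\nC = DK\nO = Home\nCN = %s\n[ext]\n%s\n' "$2" "$3" >> "$1"
}

# "Create an internal Certificate Authority": self-signed, SHA-256, CA:TRUE.
make_ca() {
  write_cnf "$WORK/ca.cnf" "Home OpenVPN CA" \
    "basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Leaf certificate signed by our CA. $1 = file prefix, $2 = CN, $3 = extensions.
# Cert Manager's "Certificate Type" is the extendedKeyUsage passed in $3.
make_leaf() {
  write_cnf "$WORK/$1.cnf" "$2" "$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/$1.cnf" -extensions ext \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Server Certificate: CN and SAN carry the FQDN clients connect to.
make_server_cert() {
  make_leaf server "$FQDN" \
    "basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN"
}

# User Certificate: clientAuth only, so it can never pose as the server.
make_user_cert() {
  make_leaf user "$1" \
    "basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth"
}

# Chain check ($1 = server or user): the cert must be signed by our CA.
chain_ok() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; }

# Purpose check ($2 = server or client): the check behind OpenVPN's
# remote-cert-tls option. A user cert must fail the server check, otherwise
# any VPN user could impersonate the server to the other clients.
purpose_ok() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "ssl$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# Signature digest the CA used; the post requires SHA-256 or better.
sig_alg() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

build_all() {
  make_ca
  make_server_cert
  make_user_cert "User OpenVPN Cert"
  echo "certificates written to $WORK"
}

# usage: sh thisfile.sh run
if [ "${1:-}" = run ]; then build_all; fi
```

Run it with `run` as the argument and then call `purpose_ok user server`: it fails, which is exactly the property the Server Certificate type buys you. If you created the server certificate as a User Certificate by mistake, `purpose_ok server server` fails the same way, and clients configured to check the server's certificate type will refuse to connect.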
Configuring OpenVPN Server

Now we configure pfSense to act as an OpenVPN server. Our server will use the Local User Access authentication type; the other two options are LDAP and RADIUS.

  1. Click VPN – OpenVPN.
    [screenshot: 05-OpenVPN]
  2. Click the Wizards tab.
    [screenshot: 06-OpenVPN]
  3. Set Type of Server to Local User Access and click Next.
    [screenshot: 07-1-OpenVPN]
  4. Select the CA we created in Configuring a new Certificate Authority and click Next.
    [screenshot: 08-1-OpenVPN]
  5. Select the certificate we created in Adding a new System Certificate for OpenVPN, named pfSense OpenVPN, and click Next.
    [screenshot: 09-OpenVPN]
  6. General OpenVPN Server Information
    Add a Description and leave the other options at their defaults:
    Interface: WAN
    Protocol: UDP
    Port: 1194
    [screenshot: 10-OpenVPN]
  7. Cryptographic Settings
    You might want to tune these, but I am enabling TLS Authentication and Generate TLS key. The TLS key is a shared secret that every client must also have; packets that do not carry a valid HMAC made with it are dropped before any TLS handshake, so port scanners and unauthenticated hosts never reach the TLS stack.
    DH Parameters Length: 2048 or higher.
    Encryption Algorithm: this may vary depending on your hardware. I am choosing AES-256-CBC (256-bit). Be sure your clients support the same cipher.
    I have no Hardware Crypto unit, but be sure to select it if you have one installed!
    [screenshot: 11-OpenVPN]
  8. Tunnel Settings
    Tunnel Network: set this to a network that is not in use anywhere on your side or on the clients' side, e.g. if your LAN is 192.168.1.0/24 you might use 192.168.2.0/24 here.
    Redirect Gateway: enable it. All of the client's traffic, not only traffic for the Local Network, is then sent through the tunnel.
    Local Network: if your LAN is 192.168.1.0/24 and you want your VPN clients to reach it, specify it here as 192.168.1.0/24. Leave it blank if you do not want your VPN clients to have access to local resources.
    Concurrent Connections: 10 (the default).
    Compression: enabled. Note that compressing traffic before it is encrypted can leak information about the plaintext, so if you do not need the bandwidth saving, leave it disabled.
    Inter-Client Communication: enable this if you want your VPN clients to be able to reach each other.
    [screenshot: 13-OpenVPN]
  9. Client Settings
    Dynamic IP: clients keep their connection even if their source IP address changes.
    Address Pool: hand out addresses to clients from the Tunnel Network we chose in step 8 (192.168.2.0/24).
    DNS Default Domain: provide one if applicable for your network.
    DNS Server: provide a DNS IP if you want your VPN clients to use a specific DNS server. In this example we use pfSense itself as DNS.
    [screenshot: 14-OpenVPN]
  10. Firewall Rule Configuration
    Tick both boxes. The first adds a WAN rule allowing UDP port 1194 to reach the OpenVPN server; the second adds a rule on the OpenVPN interface allowing traffic from connected clients. Without the first the server is unreachable, without the second connected clients cannot pass any traffic.
    You can instead write these rules by hand later, but I can't see why you would want to do that.
    [screenshot: 15-OpenVPN]
  11. Here we can see our finished OpenVPN server.
    [screenshot: 16-OpenVPN]
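The wizard hides the configuration it generates. As an added example, not the post's own text and not pfSense's generated file, the functions below map the wizard fields from steps 6 to 10 onto the equivalent OpenVPN directives, together with the client-side settings that must mirror them. The defaults follow the post (tunnel 192.168.2.0/24, LAN 192.168.1.0/24, pfSense as DNS); the DNS address 192.168.1.1 and the file names ta.key, dh2048.pem, user.crt are assumptions.

```shell
#!/bin/sh
# Added example, not the post's or pfSense's own code: render the OpenVPN
# directives that the wizard answers in steps 6 to 10 translate into.
# Assumptions: the DNS server 192.168.1.1 and the file names used below.
set -eu

# Prefix length -> dotted netmask, e.g. 24 -> 255.255.255.0
prefix_to_mask() {
  p=$1; m=""
  for _ in 1 2 3 4; do
    if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
    else o=$(( (255 << (8 - p)) & 255 )); p=0; fi
    m="$m${m:+.}$o"
  done
  echo "$m"
}

# "a.b.c.d/n" -> "a.b.c.d netmask", the form the server/route directives want
cidr_to_net_mask() {
  echo "${1%/*} $(prefix_to_mask "${1#*/}")"
}

# Wizard fields -> server directives.
# $1 Tunnel Network CIDR      $2 Local Network CIDR or "" (left blank)
# $3 DNS Server or ""         $4 Redirect Gateway 1/0
# $5 Concurrent Connections   $6 Inter-Client Communication 1/0
# $7 Compression 1/0
render_server_conf() {
  echo "dev tun"
  echo "proto udp"                              # step 6
  echo "port 1194"
  echo "server $(cidr_to_net_mask "$1")"        # step 8 tunnel + step 9 pool
  echo "dh dh2048.pem"                          # step 7 DH Parameters Length
  echo "tls-auth ta.key 0"                      # step 7 TLS Authentication, server side = 0
  echo "cipher AES-256-CBC"                     # step 7 Encryption Algorithm
  echo "remote-cert-tls client"                 # only User Certificates may connect
  echo "float"                                  # step 9 Dynamic IP
  echo "max-clients $5"                         # step 8 Concurrent Connections
  if [ -n "$2" ]; then echo "push \"route $(cidr_to_net_mask "$2")\""; fi
  if [ "$4" = 1 ]; then echo 'push "redirect-gateway def1"'; fi
  if [ -n "$3" ]; then echo "push \"dhcp-option DNS $3\""; fi
  if [ "$6" = 1 ]; then echo "client-to-client"; fi
  if [ "$7" = 1 ]; then echo "comp-lzo"; fi     # step 8 Compression, see the caveat above
}

# Client counterpart ($1 = server FQDN): cipher and TLS key must match,
# the key direction is the opposite of the server's, and the client insists
# on a Server Certificate so another user's cert cannot impersonate the server.
render_client_conf() {
  echo "client"
  echo "dev tun"
  echo "proto udp"
  echo "remote $1 1194"
  echo "remote-cert-tls server"
  echo "tls-auth ta.key 1"
  echo "cipher AES-256-CBC"
  echo "ca ca.crt"
  echo "cert user.crt"
  echo "key user.key"
}

# usage: sh thisfile.sh run > server.conf   (post's values, compression on)
if [ "${1:-}" = run ]; then
  render_server_conf 192.168.2.0/24 192.168.1.0/24 192.168.1.1 1 10 0 1
fi
```

Leaving Local Network blank drops the `push "route ..."` line, which is why clients then cannot reach the LAN even though the tunnel is up; with Redirect Gateway on, the `redirect-gateway def1` push sends everything through the tunnel regardless.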

 

 

Posted in Firewall, pfSense